Answer the question
In order to leave comments, you need to log in
Q
Q
q2zoff2019-11-16 09:36:49
q2zoff, 2019-11-16 09:36:49
How to get information about the process that completed its work?
Hello.
As far as I remember, if the parent of the process terminates, then init becomes the parent. And how can you get information about the primary parent of a process if this parent has already completed its work? Is it possible to get information about the parent of the primary parent?
Assume that an attacker has gained access to the server. Then, in his ssh session, he performs a chain of forks that spawns a certain worker. So, how to spin up this whole chain, having only one PID of the worker?
1 answer(s)
@jenki
When the process ends, the OS (not always immediately) releases the resources it requested and everything that was associated with it. Only entries in the log files may remain.
With well-configured logging and auditing, it is much easier and more understandable.
S
Stanislav Bodrov, 2019-11-18 @jenki
if the parent of the process terminates, then init becomes the parent.What is init the parent of?
Is it possible to get information about the parent of the primary parent?Usually this is init.
When the process ends, the OS (not always immediately) releases the resources it requested and everything that was associated with it. Only entries in the log files may remain.
how to spin up this whole chain, having only one PID of the worker?If the process exists in one form or another, you can see the process tree and its ancestor. Only sense from this?
With well-configured logging and auditing, it is much easier and more understandable.
Similar questions
A
P
H
K
S
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question